Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access…
[org.jenkins-ci.plugins:proxmox] Password stored in plain text by Jenkins Proxmox Plugin
Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
References
https://n…
[org.jenkins-ci.plugins:dbCharts] Passwords stored in plain text by Jenkins dbCharts Plugin
Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file hudson.plugins.dbcharts.DbChartPublisher.xml on the Jenkins controller as part of its configuration.
These passwords can be viewed b…
[org.postgresql:postgresql] Path traversal in org.postgresql:postgresql
** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that …
[parsec-service] Chrono has potential segfault issue in SPIFFE authenticator
Impact
Several vulnerabilities have been reported in the time and chrono crates related to handling of calls to localtime_r. You can follow some of the discussions here and here, and the associated CVE here. In our case, the issue with the dependency w…
[onionshare-cli] Incorrect Permission Assignment for Critical Resource in OnionShare
Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund’s Red Team lab. This is an issue from that penetration test.
Vulnerability ID: OTF-006
Vulnerabi…
[org.jenkins-ci.plugins:publish-over-ssh] Password stored in plain text by Jenkins Publish Over SSH Plugin
Jenkins Publish Over SSH Plugin 1.22 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
References
https://nvd.nist.gov/…
[k8s.io/kubernetes/pkg/kubectl] ANSI escape characters not filtered
kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.
References
https://nvd.nist.gov/vuln/detail…
[dev.personnummer:personnummer] personnummer/java vulnerable to Improper Input Validation
This vulnerability was reported to the personnummer team in June 2020. The slow response was due to locked ownership of some of the affected packages, which caused delays to update packages prior to disclosure.
The vulnerability is determined to be low…
[defaults-deep] Prototype Pollution in defaults-deep
Versions of defaults-deep before 0.2.4 are vulnerable to prototype pollution.
Recommendation
Update to version 0.2.4 or later.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-3723
https://hackerone.com/reports/310514
https://github.com/advisories/G…